This module exports a safe-subset of DCLabel.Core,
implementing Disjunction Category Components.
The exported functions and constructors may be used by
untrusted code, guaranteeing that they cannot perform
anything unsafe.

Reduce a Component to LNF.
First it applies cleanComponent to remove duplicate principals
and categories. Following, it removes extraneous/redundant
categories. A category is said to be extraneous if there is another
category in the component that implies it.

Principal is a simple string representing a source of authority. Any piece
of code can create principals, regarless of how untrusted it is. However,
for principals to be used in integrity components or be ignoerd a
corresponding privilege (TCBPriv) must be created (by trusted code) or
delegated.

Privilegies

Privilege object is just a conjunction of disjunctions, i.e., Component.
A trusted privileged object must be introduced by trusted code, after which
trusted privileged objects can be created by delegation.